[lug] Reporting an Intrusion

Alan Robertson alanr at unix.sh
Tue Sep 13 12:08:23 MDT 2005


Bill Thoen wrote:
> I discovered another hack on my old RH9 system last night but this time I
> learned how they got in and where they came from (via an ISP in
> Scottsdale, AZ.) With some help, I think I got the damage fixed and the
> holes patched, so I think I'm OK for now. Apparently there are some dumb
> things you can do with an otherwise perfectly good installation of PHP,
> and I'm pretty convinced that the last hack I experienced was done the
> same way.
> 
> Anyway, now I'm pissed off. I can report the intrusion with evidence from 
> my logs to the ISP, but I'd like to use a little more force. Since 
> breaking into a computer is a federal crime, is there a law enforcement 
> agency I should report this to, like maybe the FBI? Before I go off 
> half-cocked, what's the proper procedure in terms of reporting and 
> collecting evidence so that there's a chance of getting a conviction 
> should I be able to get any authority to do anything about this?

Assuming you can get anyone interested in prosecuting this case...

Then, what you really wanted to do as I understand it is to remove the 
original hard drive and lock it up where no one else can get at it.

All work afterwards should be done on a copy of the drive.

Which probably means 3 copies of the data:
   - the original disk - untouched
   - a copy for use in analysis
   - Your working drive for getting  on with your life...

You might be able to do with out the analysis copy, but it's a much 
stronger case if you can say "I never touched it except to copy it once".

One can assume that if someone prosecutes, that someone will defend - 
and that they will try and make a lot out of you not being a "security 
professional", and thereby impugn the evidence you so laboriously gathered.

If this guy did it once, he's likely continuing to do it.  That's 
probably your best hope for getting FBI cooperation - that they can use 
your evidence for tracking this guy down - and maybe not in court. 
Assuming they find him, they'll probably watch him and try and catch him 
in the act.  Then they can get clean evidence to go after him with.

But, I suspect (like others) that this isn't too likely.

-- 
     Alan Robertson <alanr at unix.sh>

"Openness is the foundation and preservative of friendship...  Let me 
claim from you at all times your undisguised opinions." - William 
Wilberforce



More information about the LUG mailing list